How to identify a Google user account by JWT? - flutter

I have a flutter Android app which implements Google sign in, and ASP.NET core Web API server, which using token-based authentication. Android app sends jwt token to server, which contains such information as email, username etc. So on server. I need a parameter, on which user can be authorized.
Does Google's JWT contains any information, which is unique for every account?
If jwt does not, is it possible to get a unique identifier after validating this token using GoogleJsonWebSignature.ValidateAsync(token)?

Related

Firebase Auth: How to sign in using id token?

Is there a way to share anonymous user sessions with Firebase Auth?
What I would like to is to get the current id token:
final idToken = FirebaseAuth.instance.currentUser!.getIdToken();
Then, use this idToken to authenticate the same anonymous user in a different app.
FirebaseAuth.instance.signInWithToken(idToken);
With signInWithCustomToken() method, you can use a custom auth token to sign in a user on different website. As documented here
Firebase gives you complete control over authentication by allowing
you to authenticate users or devices using secure JSON Web Tokens
(JWTs). You generate these tokens on your server, pass them back to a
client device, and then use them to authenticate via the
signInWithCustomToken() method.
You can create a custom token with the Firebase Admin SDK, or you can
use a third-party JWT library if your server is written in a language
which Firebase does not natively support.
The Firebase Admin SDK has a built-in method for creating custom
tokens. At a minimum, you need to provide a uid, which can be any
string but should uniquely identify the user or device you are
authenticating. These tokens expire after one hour.
After you create a custom token, you should send it to your client
app. The client app authenticates with the custom token by calling
signInWithCustomToken()
Also check out these links for more information and examples:
Authenticate with Firebase Using a Custom Authentication System
Firebase auth - login user from app in website
How to use the same firebase anonymous user in a flutter app

Moodle: Load Google SSO client library in custom page

I am developing the custom redirection page in moodle(Version 3.8). Which will check the valid google sso id_token received from query parameters and the details of that id_token will be crosschecked with moodle database. If the user will be valid as per database then it will automatically fetch the password for that user from database allow user to login.
How can i load the google sso client library in my custom page for id_token verification and details, also how can i access moodle database in random custom page?

How to implement external login to identity backend from Xamarin

I have a website using ASP.NET Core, which uses MS Identity and external login from Facebook.
I have a Xamarin app that logs to this backend via login/password using Xamarin.Auth. I am wondering which is the best way to allow external login to Facebook from the app?
Should I create a separate Facebook app for Android or should I use the same as the website?
What would be the flow?
I am thinking of something like:
Using the Facebook sdk to log in
Pass the token to the server
Check from server side if the email exists or the FB user id exists
If yes check whether the app is registered using Facebook and if yes login
If no create an account
But until now I haven't stored the user's Facebook Id (only the email, that the user can also modify).
Xamarin.Auth is client library and currently has no server side implementations.
So, your server is Protected Resource and Facebook will be Authorisation Server. After you obtain your tokens (access_token and refresh_token) you would try to access Protected Resource presenting access_token as a credential. Protected Resource will perform token introspection (this could be separate service-server) which will decode the token, lookup username (mail) and check expiration of the token.
This is not specified in draft (RFC) so check how FB does token introspection.
Few links for more info:
How to validate an OAuth 2.0 access token for a resource server?
http://blog.api-security.org/2014/10/oauth-20-token-introspection-profile.html
https://www.quora.com/In-OAuth-2-0-how-do-resource-servers-assert-a-token-issued-by-an-authorization-server
https://connect2id.com/products/server/docs/api/token-introspection
https://leastprivilege.com/2015/12/27/oauth-2-0-token-introspection-middleware-for-asp-net-5/

Use identity server 3 to exchange a facebook token for my application token

I'm investigating how to use id server to provide auth services for a native mobile app that will talk to a Web API that we are developing. I started off with the flow as described in the MVC walkthrough - so the user is redirected by ID Server to FB (with acr_value/idp) and then redirected back after sign-in, where I can do the claims transformation and issue a token for our application.
The developers of the native client have concerns about this though, and would rather use the FB sdk to log the user in to FB, instead of having id server issue the token after redirections. The following issue on the previous version of ID server explains this well:
https://github.com/IdentityServer/IdentityServer2/issues/503
How would I go about doing this with id server 3?
This is a perfect use case for a custom grant.
1) first do native FB login
2) send FB token to IdentityServer token endpoint using custom grant
3) write a custom grant validator that validates the FB token
4) return JWT token for your APIs
Documentation:
https://identityserver.github.io/Documentation/docsv2/advanced/customGrantTypes.html

Login flow from mobile app on web server with Facebook Oauth

I have a web application built with Spring and spring security that allows user to register ether via Facebbok or creating an account, in both cases an web app account is created. So the 2 registering methods are the following::
Registering directly on the web app: the username and password are stored in the db.
Registering via facebook: the user logins into facebook (Outh), the web app retrieve the data from facebook to fill the registration form. The web app prompt the user to create the webapp account. In my database I store web app user and facebook data (access token etc..), so that the second time I try to login I can match the facebook account with the web app account (I use spring social).
Now I'm creating a rest service for the mobile app and it requires authentication. I use the basic http auth to access the web services.
My question now is how to Log in a user in my web application using spring security?
What I thought was:
Mobile app logs into facebook and retrieve the access_token (no contact with the web application server yet)
Mobile app sends access token to the web app
Web app checks if the access token is valid ether with db or directly with facebook
In case is valid the access token, the app sends back to the mobile app the username and the password (could be encrypted with a private key algorithm)
Once receive the web app user and password the user is authenticated and this information are stored on the mobile and used for http auth.
Do you think this flow is secure? do you have other ideas?
Thank you in advance